Loading docker/grype.yml +31 −19 Original line number Diff line number Diff line --- # a vulnerability scanner for container images and filesystems # https://github.com/anchore/grype variables: GRYPE_IMAGE: "${CI_REGISTRY_IMAGE}:latest" GRYPE_SCOPE: "Squashed" GRYPE_OUTPUT_FORMAT: "table" GRYPE_FAIL_ON: "medium" SYFT_OUTPUT_FILE: ${CI_COMMIT_SHORT_SHA}.json SYFT_REGISTRY_AUTH_AUTHORITY: ${CI_REGISTRY} SYFT_REGISTRY_AUTH_USERNAME: ${CI_REGISTRY_USER} SYFT_REGISTRY_AUTH_PASSWORD: ${CI_REGISTRY_PASSWORD} GRYPE_IMAGE: ${CI_REGISTRY_IMAGE}:dev-${CI_COMMIT_SHORT_SHA} GRYPE_OUTPUT_FILE: ${CI_COMMIT_SHORT_SHA}.txt GRYPE_FAIL_ON_THRESHOLD: "critical" GRYPE_EXTRA_ARGS: "" GRYPE_DEFAULT_ARGS: "--only-fixed" GRYPE_CVE_BLACKLIST_REGEX: "" grype: image: registry.gitlab.com/just-ci/images/grype:latest .grype: # TODO: replace alpine and before script with our custom image image: alpine:3 stage: test before_script: - apk add --no-cache curl # versions are pinned to these because of a bug in grype v0.36.0 - curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin v0.35.1 - curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin v0.31.1 script: - | echo "Will run grype on ${GRYPE_IMAGE}" skopeo copy --src-creds=${CI_REGISTRY_USER}:${CI_REGISTRY_PASSWORD} docker://"${GRYPE_IMAGE}" oci://${CI_PROJECT_DIR}/${CI_COMMIT_SHORT_SHA} echo "Running grype with following options:" echo "GRYPE_SCOPE=${GRYPE_SCOPE} selection of layers to analyze, options=[Squashed AllLayers] (default 'Squashed')" echo "GRYPE_OUTPUT_FORMAT=${GRYPE_OUTPUT_FORMAT} report output formatter, options=[json table cyclonedx] (default 'table')" echo "GRYPE_FAIL_ON=${GRYPE_FAIL_ON} set the return code to 1 if a vulnerability is found with a severity >= the given severity, options=[negligible low medium high critical]" - grype version - grype --scope=${GRYPE_SCOPE} --fail-on=${GRYPE_FAIL_ON} --output=${GRYPE_OUTPUT_FORMAT} 
${GRYPE_EXTRA_ARGS} ${CI_PROJECT_DIR}/${CI_COMMIT_SHORT_SHA} - echo ${GRYPE_IMAGE} # 0) get the SBOM from syft - syft packages ${GRYPE_IMAGE} -o json > ${SYFT_OUTPUT_FILE} # 1) run grype on syft SBOM report to obtain a full grype report with all vulnerabilities - grype sbom:${SYFT_OUTPUT_FILE} --output=table --file ${GRYPE_OUTPUT_FILE} # 2) fail job if any of blacklisted vulnerabilities is in grype output. Grype does not provide blacklisting natively. - cat ${GRYPE_OUTPUT_FILE} | grep -E ${GRYPE_CVE_BLACKLIST_REGEX} && exit 1 || exit 0 # 3) fail job if vulnerabilities at or above GRYPE_FAIL_ON_THRESHOLD - grype sbom:${SYFT_OUTPUT_FILE} --output=table --file ${GRYPE_OUTPUT_FILE} --fail-on ${GRYPE_FAIL_ON_THRESHOLD} ${GRYPE_DEFAULT_ARGS} ${GRYPE_EXTRA_ARGS} artifacts: paths: - ${SYFT_OUTPUT_FILE} - ${GRYPE_OUTPUT_FILE} allow_failure: true Loading
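Review bot: The blacklist step `cat ${GRYPE_OUTPUT_FILE} | grep -E ${GRYPE_CVE_BLACKLIST_REGEX} && exit 1 || exit 0` terminates the job on every path, so the following `grype sbom:... --fail-on ${GRYPE_FAIL_ON_THRESHOLD}` step appears never to run — GitLab executes the `script` entries in one shell session, and with the default empty regex the unquoted expansion leaves grep with no pattern, which exits with a usage error and falls through to `exit 0`, silently skipping the severity gate. Replace it with a guarded test that exits only on a match, e.g. `- if [ -n "${GRYPE_CVE_BLACKLIST_REGEX}" ] && grep -Eq -- "${GRYPE_CVE_BLACKLIST_REGEX}" "${GRYPE_OUTPUT_FILE}"; then echo "blacklisted CVE found"; exit 1; fi` (quoting the variable without the `-n` guard would make an empty pattern match every line and always fail). Separately, the `before_script` pipes `install.sh` fetched from the `main` branch of both upstream repos straight into `sh`; the binary version is pinned but the installer script is not, so pin the script URL to the release tag (e.g. `.../anchore/grype/v0.31.1/install.sh`) or a commit SHA and verify a checksum until the custom image mentioned in the TODO lands. Note also that with `allow_failure: true` neither the blacklist nor the severity gate can block the pipeline, so both are advisory only — if that is intentional, a comment stating it would save the next reader from assuming enforcement.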
docker/grype.yml +31 −19 Original line number Diff line number Diff line --- # a vulnerability scanner for container images and filesystems # https://github.com/anchore/grype variables: GRYPE_IMAGE: "${CI_REGISTRY_IMAGE}:latest" GRYPE_SCOPE: "Squashed" GRYPE_OUTPUT_FORMAT: "table" GRYPE_FAIL_ON: "medium" SYFT_OUTPUT_FILE: ${CI_COMMIT_SHORT_SHA}.json SYFT_REGISTRY_AUTH_AUTHORITY: ${CI_REGISTRY} SYFT_REGISTRY_AUTH_USERNAME: ${CI_REGISTRY_USER} SYFT_REGISTRY_AUTH_PASSWORD: ${CI_REGISTRY_PASSWORD} GRYPE_IMAGE: ${CI_REGISTRY_IMAGE}:dev-${CI_COMMIT_SHORT_SHA} GRYPE_OUTPUT_FILE: ${CI_COMMIT_SHORT_SHA}.txt GRYPE_FAIL_ON_THRESHOLD: "critical" GRYPE_EXTRA_ARGS: "" GRYPE_DEFAULT_ARGS: "--only-fixed" GRYPE_CVE_BLACKLIST_REGEX: "" grype: image: registry.gitlab.com/just-ci/images/grype:latest .grype: # TODO: replace alpine and before script with our custom image image: alpine:3 stage: test before_script: - apk add --no-cache curl # versions are pinned to these because of a bug in grype v0.36.0 - curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin v0.35.1 - curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin v0.31.1 script: - | echo "Will run grype on ${GRYPE_IMAGE}" skopeo copy --src-creds=${CI_REGISTRY_USER}:${CI_REGISTRY_PASSWORD} docker://"${GRYPE_IMAGE}" oci://${CI_PROJECT_DIR}/${CI_COMMIT_SHORT_SHA} echo "Running grype with following options:" echo "GRYPE_SCOPE=${GRYPE_SCOPE} selection of layers to analyze, options=[Squashed AllLayers] (default 'Squashed')" echo "GRYPE_OUTPUT_FORMAT=${GRYPE_OUTPUT_FORMAT} report output formatter, options=[json table cyclonedx] (default 'table')" echo "GRYPE_FAIL_ON=${GRYPE_FAIL_ON} set the return code to 1 if a vulnerability is found with a severity >= the given severity, options=[negligible low medium high critical]" - grype version - grype --scope=${GRYPE_SCOPE} --fail-on=${GRYPE_FAIL_ON} --output=${GRYPE_OUTPUT_FORMAT} 
${GRYPE_EXTRA_ARGS} ${CI_PROJECT_DIR}/${CI_COMMIT_SHORT_SHA} - echo ${GRYPE_IMAGE} # 0) get the SBOM from syft - syft packages ${GRYPE_IMAGE} -o json > ${SYFT_OUTPUT_FILE} # 1) run grype on syft SBOM report to obtain a full grype report with all vulnerabilities - grype sbom:${SYFT_OUTPUT_FILE} --output=table --file ${GRYPE_OUTPUT_FILE} # 2) fail job if any of blacklisted vulnerabilities is in grype output. Grype does not provide blacklisting natively. - cat ${GRYPE_OUTPUT_FILE} | grep -E ${GRYPE_CVE_BLACKLIST_REGEX} && exit 1 || exit 0 # 3) fail job if vulnerabilities at or above GRYPE_FAIL_ON_THRESHOLD - grype sbom:${SYFT_OUTPUT_FILE} --output=table --file ${GRYPE_OUTPUT_FILE} --fail-on ${GRYPE_FAIL_ON_THRESHOLD} ${GRYPE_DEFAULT_ARGS} ${GRYPE_EXTRA_ARGS} artifacts: paths: - ${SYFT_OUTPUT_FILE} - ${GRYPE_OUTPUT_FILE} allow_failure: true